Drupal released security updates to fix several vulnerabilities resided in the Drupal Core. A remote attacker may send specially crafted requests to bypass the access restrictions or execute arbitrary code in vulnerable systems. The vulnerabilities could also redirect users to a malicious URL created by an authenticated attacker.
A successful attack could lead to security restriction bypass, open redirection and remote code execution on an affected system.
The product vendor has released patches to address the issues.
https://www.drupal.org/sa-core-2018-006
https://www.hkcert.org/my_url/en/alert/18101901
https://www.us-cert.gov/ncas/current-activity/2018/10/18/Drupal-Releases-Security-Updates